
Setup walkthrough

A ~10–15 minute guide that grants Amplio read-only access to review your Business Central setup across all your companies. There are two parts: Part A creates an app in Microsoft Entra (Azure AD) so it can sign in; Part B registers that app inside Business Central so it is allowed to read your data. You need both. You will collect four values to send back to Amplio.

At a glance

Two short jobs. Part A needs a Microsoft Entra (Azure AD) Global Admin; Part B needs a Business Central admin.

Part A · Microsoft Entra (Azure AD)

Create the app & sign-in identity

  1. Register the app (single tenant)
  2. Copy Tenant ID & Client ID
  3. Add BC API permissions → Grant admin consent
  4. Create a client secret → copy its Value

Part B · Business Central

Authorise the app to read your data

  1. Open Microsoft Entra Applications
  2. New → paste the Client ID + a description
  3. Assign a permission set (Company = blank = all)
  4. Grant Consent → set State = Enabled

Why both? Azure (Part A) lets the app authenticate. Business Central (Part B) is what authorises it to read your data. With only Part A, the token is valid but BC rejects every call with 401 Authentication_InvalidCredentials.

What you'll do

Before you start — what you need

Part A — Microsoft Entra (Azure AD)

  1. Sign in to the Azure portal in the right tenant
  2. Create the App registration (single tenant)
  3. Copy the Tenant ID and Client ID
  4. Add the Business Central API permissions & grant admin consent
  5. Create the client secret (copy the Value)

Part B — Business Central

  6. Open "Microsoft Entra Applications" in BC
  7. Create the application entry (paste the Client ID)
  8. Assign the permission set (across all companies)
  9. Grant Consent, then set State = Enabled

Finish

  10. Send the four values to Amplio

Troubleshooting

Before you start

Confirm these points first — skipping any of them is the most common cause of a stalled review.

Read-only, then gone. Amplio's scanner authenticates as the app you create, reads configuration metadata for the review modules, and disconnects. The client secret is encrypted before storage and deleted after the report is sent. We never act on behalf of a signed-in user, and the review never writes to your data.

Part A — Microsoft Entra (Azure AD)

Portal: entra.microsoft.com (or portal.azure.com → Microsoft Entra ID). This creates the app and its sign-in credentials.

1. Sign in to the Azure portal in the right tenant

Open a private / incognito window so you don't pick up a stale Microsoft session from a different tenant. Go to https://entra.microsoft.com and sign in with the admin account of the directory that hosts your Business Central environment.

Click the avatar (top-right) to confirm the directory name. If it's the wrong tenant, click Switch directory and pick the right one before continuing.

Screenshot: Microsoft Entra admin centre home with the directory / tenant selector (top-right avatar menu) showing the correct organisation.

2. Create the App registration (single tenant)

In the left nav go to Applications → App registrations, then click + New registration and fill it in:

  • Name: Amplio BC System Review — makes it obvious this is a review identity.
  • Supported account types: Accounts in this organizational directory only (Single tenant). The scanner doesn't need multi-tenant, and the tighter scope is safer.
  • Redirect URI: leave it blank. The scanner uses the client-credentials (app-only) OAuth flow, which never redirects a browser.

Click Register. Azure lands you on the app's Overview page.

Screenshot: the Register an application form with the name filled in, Single tenant selected, and the Redirect URI left empty.

3. Copy the Tenant ID and Client ID

On the app's Overview page, find the Essentials box and copy:

  • Directory (tenant) ID — this is value ① Tenant ID.
  • Application (client) ID — this is value ② Client ID.

Both are UUIDs like 11111111-2222-3333-4444-555555555555 (36 characters incl. hyphens). Save both to your password manager.

Screenshot: the app Overview → Essentials panel with Application (client) ID and Directory (tenant) ID highlighted.

4. Add the Business Central API permissions & grant admin consent

In the app's left nav click API permissions → + Add a permission. In the blade:

  1. Open the APIs my organization uses tab and search Dynamics 365 Business Central; select it.
  2. Choose Application permissions (not Delegated) — app-only is what the client-credentials flow needs.
  3. Tick:
    • API.ReadWrite.All — required (full access to the BC web-services API).
    • Automation.ReadWrite.All — required for full setup coverage.
  4. Click Add permissions.
  5. Back on the API permissions page click Grant admin consent for <your org> and confirm. Each permission's Status must turn to a green Granted tick.

"Grant admin consent" greyed out? You're signed in without the right admin role. Send the app's URL to a Global Administrator and ask them to click Grant admin consent — nothing else — then carry on.

Why it matters: without admin consent the token comes back with no roles, and Business Central rejects it.

Why ReadWrite? BC publishes the broad API.ReadWrite.All scope; there is no narrower published equivalent. The permission is granted to the app you own — Amplio's scan code is read-only and never calls a write endpoint.

Screenshot: the API permissions list showing API.ReadWrite.All + Automation.ReadWrite.All under Dynamics 365 Business Central, each with a green Granted for <org> tick.

5. Create the client secret (copy the Value)

In the app's left nav click Certificates & secrets → Client secrets → + New client secret:

  • Description: Amplio BC Review
  • Expires: 12–24 months (do not pick Never — long-lived secrets are an audit liability).

Click Add, then immediately copy the Value — this is value ③ Client secret.

Copy the Value, NOT the Secret ID. The Value is a longer string of letters/digits/symbols and is shown only once — leave the page and you can't see it again (you'd create a new secret). The Secret ID is a GUID and will not work.

Screenshot: the Client secrets tab right after Add, with the Value column (not Secret ID) and its copy icon highlighted.

Part B — Business Central

Sign in to Business Central as an admin. This is what authorises the app to read your data — do it once per environment you want reviewed.

6. Open "Microsoft Entra Applications" in BC

In Business Central, click the search 🔍 (Tell me what you want to do), type Microsoft Entra Applications and open it.

On older BC versions this page is called Azure Active Directory Applications / AAD Applications — same page.

Screenshot: the BC Tell me search showing the Microsoft Entra Applications result.

7. Create the application entry (paste the Client ID)

On the Microsoft Entra Applications list, click New:

  • Client ID — paste the Application (client) ID from step 3 (the app's ID, not the secret).
  • Description — e.g. Amplio System Review (free text, for your reference).
  • Leave State = Disabled for now — you enable it at the end (step 9), after consent + permissions are set.

Screenshot: a new Microsoft Entra Application card with the Client ID pasted, a Description, and State = Disabled.

8. Assign the permission set (across all companies)

On the application card, find the User Permission Sets lines (lower part of the page). Add a line and pick a permission set:

  • D365 READ — read-only across BC; the least-privilege option for a review-only app (recommended).
  • or D365 BUS PREMIUM — full functional access; what Amplio verified end-to-end. Fine for a trusted review.

Leave the Company field on the line blank so the set applies to all companies (a value there would limit the app to that one company).

You cannot assign SUPER. Business Central blocks SUPER for Entra Applications — use D365 READ or D365 BUS PREMIUM instead.

Screenshot: the application card's User Permission Sets grid with a D365 READ (or D365 BUS PREMIUM) line and the Company column left blank.

9. Grant Consent, then set State = Enabled

On the application card, click Grant Consent (in the actions / ribbon). A Microsoft sign-in opens — sign in as a Global / BC admin and approve. BC records the consent.

Then set State = Enabled and save.

Order matters: permissions + consent first, then Enabled. An Enabled app with no permission set or no consent will still return 401.

Screenshot: the application card after Grant Consent, with State = Enabled.

10. Send the four values to Amplio

You should now have four values. Paste them into the Free BC Review form (or send them securely — not plain email):

| # | Value | Where it came from |
|---|-------|--------------------|
| ① | Tenant ID (Directory ID) | Entra app Overview — step 3 |
| ② | Client ID (Application ID) | Entra app Overview — step 3 |
| ③ | Client secret (the Value) | Entra → Certificates & secrets — step 5 |
| ④ | Environment name | Business Central (e.g. Production) |

Amplio confirms it can read your setup and emails a branded report within one business day.

Troubleshooting

AADSTS7000215: Invalid client secret
The Secret ID (a GUID) was sent instead of the secret Value. Re-do step 5 and copy the Value.
Token has no roles / roles: null
Admin consent wasn't granted in step 4. Open API permissions and click Grant admin consent.
401 Authentication_InvalidCredentials from Business Central
The app isn't registered in BC (Part B), its State isn't Enabled, or no permission set is assigned. Check steps 7–9.
Most companies read, but a few fail with "licence has expired / trial ended"
Those specific companies are usually in a genuine trial-expired / evaluation state (common for throwaway test companies), or the permission set doesn't cover them. Confirm the company is licensed; a tenant-wide read set (D365 READ) with Company blank covers every company the app can sign into.
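
A local pre-flight check for the four values and for the token claims behind the first two Troubleshooting entries, added here as an example; it is not Amplio's scanner code. It assumes the standard Entra app-only token claims `roles` and `tid`, the function names are illustrative, and the sample tokens are constructed and unsigned (the decoder inspects claims only and does not verify the signature).

```python
import base64
import json
import re

# Added example; names are illustrative. GUID = shape of Tenant ID, Client ID, Secret ID.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED_ROLES = {"API.ReadWrite.All", "Automation.ReadWrite.All"}


def check_values(tenant_id, client_id, client_secret, environment):
    """Return a list of problems with the four values (empty list = OK)."""
    problems = []
    for name, value in (("Tenant ID", tenant_id), ("Client ID", client_id)):
        if not GUID_RE.match(value.strip()):
            problems.append(f"{name} is not a GUID (step 3)")
    if GUID_RE.match(client_secret.strip()):
        problems.append("Client secret looks like the Secret ID, not the Value (step 5)")
    if not environment.strip():
        problems.append("Environment name is empty")
    return problems


def token_claims(jwt):
    """Decode the payload of a JWT for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt, tenant_id):
    """Map token claims onto the Troubleshooting entries above."""
    claims = token_claims(jwt)
    problems = []
    missing = REQUIRED_ROLES - set(claims.get("roles") or [])  # handles roles: null
    if missing:
        problems.append("No admin consent for: " + ", ".join(sorted(missing)) + " (step 4)")
    if (claims.get("tid") or "").lower() != tenant_id.strip().lower():
        problems.append("Token was issued by a different tenant (step 1)")
    return problems


def _sample_token(claims):
    """Build an unsigned, constructed token so the checks run offline."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return "e30." + body + "."  # "e30" is base64url for the empty header {}

TENANT = "11111111-2222-3333-4444-555555555555"  # the page's example GUID
NO_CONSENT = _sample_token({"tid": TENANT})  # constructed: no roles claim
CONSENTED = _sample_token({"tid": TENANT, "roles": sorted(REQUIRED_ROLES)})
```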

Still stuck? Email reviews@ampliosolutions.co.uk with a screenshot of the step you're on. We reply within one working day.